Hi All ,
After installing Splunk DB Connect via deployer in a search head cluster, should I configure the database connection via deployer UI or any Search Head UI for it to reflect on all Search Heads.
OR is it necessary to individually configure on all Search Heads?
Though DBconnect in SHclustering compatible, it is really complicated. Especially if you have Enterprise Security in the cluster it will cause CPU spikes and Splunk support requested to move out DBconnect from a ES SH cluster. Afterwards, I'm using heavy forwarder to pull DB data using DBconnect. So 1st preference is to use a Heavy forwarder or a Standalone Search Head to pull in the data rather than SH cluster.
If you really want to implement within a SH cluster, how we have done is
1. Splunk DBconnect app (setup in Staging Server and push it via deployer). There should NOT be any changes to this app other than the required driver for the database.
2. Create a new app. (MYAPPdbconnectinputs). Configure all your inputs in this app in staging server and push it via deployer to SH members. Ensure you put a stanza to have
disabled = false, so you can toggle if something goes wrong.
This way, you can control all your inputs via a single app (rather than updating it to the local of the official app). Also in a SH cluster the SH members receive the configuration into the "default" directory !! This makes complex as the original apps config will get mixed with your changes if you are using the original splunk's app.
Hi @Koshyk ,
Thankyou so much for your inputs.
Actually we currently have DB Connect V1 app in a standalone SH and not part of cluster. We intend to Upgrade it and migrate it to the SH Cluster. We do not have ES in the cluster so I believe we may not face CPU Spikes. Is there a neccessity to still create a different app ?MYAPPdbconnectinputsPlease correct me if I'm wrong here.
Also everytime I add a new identity/DB , can I add it in the deployer and push to all SHs via the official app OR if I add in any one SH will it reflect in remaining SHs of the cluster?
Please vote/accept if you find the answers useful.cheers